1. Field of the Invention
The present invention relates generally to a computer implemented method, data processing system, and computer program product for remotely authenticating a user. More specifically, the present invention relates to enhancing secure shell or other remote authentication access to users over insecure network infrastructure.
2. Description of the Related Art
Modern uses of networked computers involve a user operating a data processing system that attaches to a network of other data processing systems. Often, the network can include the Internet. As such, the network may have several nodes that are between a data processing system that the user most directly uses, and a node that the user wants to access.
A user who logs into a node remote from his location may use a remote shell protocol to log in to the remote node. However, without additional protocols, information sent to that remote node may be visible to unknown parties that control intermediate nodes through which the user's data packets travel. Consequently, such a user lacks any assurance of privacy with respect to such nodes.
Accordingly, developers created a secure shell protocol to enable some protections for data that crossed networks in this manner. A secure shell protocol is a security protocol that is typically used over the transmission control protocol (TCP) and the internet protocol. The secure shell may be used above any protocol that provides reliable data streams. A reliable data stream is a stream that normally is controlled by a protocol to deliver data packets to a receiver in the same order that the data packets appeared when the packets were sent from the source data processing node. The secure shell protocol assures that packets sent via this channel are encrypted. In addition, the secure shell protocol provides authentication of the sender and receiver of packets.
In order to establish the encrypted channel, a secure shell client initiates an authentication handshake with a secure shell server. A secure shell client is the data processing system that begins the exchange with the server, and generally supports a user entering login identifiers, passwords, and text entry to a command line prompt. The handshake can include, for example, the secure shell client or SSH client transmitting a login credential encrypted with a user public key. Accordingly, upon properly authenticating, the secure shell client may provide a man-machine interface from the user to the secure shell server or host. Moreover, the exchanges between this client and the server are protected by encryption placed on the packets communicated to each device.
Multiuser data processing systems likewise face challenges in that data owned by one user is intended for the private use of that user alone, or for that user and designated colleagues. Accordingly, in such systems, a need arose to compartmentalize access to files to individuals or to groups, based on each user proving his or her identity to the system. One such system stores files using an encrypting file system. An encrypting file system or EFS is a file system that encrypts files using keys stored in a cryptographically protected key store or keystore. Consequently, such files are stored to disk or other media in an encrypted form. The data processing system responds to users that provide inputs through a process of the system called a login process. The login process or shell is the user session by which the user interacts with the data processing system. Keyboard, mouse, and other inputs are entered during a period or session. The session occurs between an authenticated login and the login process termination. Such inputs during this time are treated as inputs from the specific user associated with the login and password given at the beginning of the session.
Although data processing systems have provided ways for a user to authenticate by locally logging into a system and thus accessing the user's keystore, such data processing systems have not provided an equally secure way to authenticate SSH (secure shell) clients, such that access keys for EFS are provided to the client. Moreover, for SSH clients that are enabled for accessing a keystore for EFS, SSH servers are unable to properly allow or disallow such SSH clients from accessing even rudimentary SSH services when the SSH client produces credentials for accessing EFS keystores.